Jump to content

Cisco Linksys EA Series Vulnerability


potato

Recommended Posts

I ran a port scan on my network over a VPN because I was curious to see what ports were open, one of the open ports was 8083. So I enter my ip :8083 in to Firefox and the admin interface popped up without asking me for the password and did allow me to make changes to the router. I have remote management turned off. The router is an EA2700, we have also confirmed that the EA3500 is vulnerable too. The e2500 and e1000 don't appear to be vulnerable. This is a huge issue and I would have expected better out of Cisco, they made amazing enterprise stuff and then sell polished turds so consumers. If anyone else has access to one of the newer Cisco linksys, please test this out I would like to get a list going of vulnerable routers. The ea2700 was on FW 1.0.14.

Edit, I updated the firmware and the Vulnerability has been patched in the new and ugly "smart wi-fi" firmware.

Edit 2: You can still get to the login page on the new firmware on port 10080, however you can not login, even with the correct password it will tell you there was an error. also you can login correctly if you have the right password on port 52000

Edit 3: As it turns out the latest version of the "Classic" or "Cisco Connect" firmware for all of the EA Series routers, EA2700, EA3500, EA4500 and the E4200v2 are vulnerable to this, and Linksys doesn't give a shit because the new and crappy "Smart Wifi" firmware is not affected by this. I upgraded my router to the "Smart wifi" firmware and now my IRC sessions randomly drop. The DD-WRT port for the EA2700 is not done yet and the EA3500 as well as the EA4500 and E4200v2 are based on marvel chipsets. Also AFAIK you have to manually upgrade to the "Smart wifi" firmware, I had auto updating enabled and mine was never updated.

The last "Classic" firmware for each router is listed below:

EA4500: 2.0.37

EA3500: 1.0.30

EA2700: 1.0.14

EA4200v2 :2.0.37

Edited by computerchris
Link to comment
Share on other sites

I was litterally just about to post this same thing! I did a port scan last night around 3 am and was completely shocked! I thought it was just me having a bad configuration on my router so I reset it and made sure to that remote management was off and it was still there! To fix it I just forwarded port 80 and 443 to non existent hosts on my network. I have an E1200 so add that to your list!

Link to comment
Share on other sites

Of course but if that happens no matter how you configure remote management and no one changes the default passwords that is still pretty vulnerable.

Link to comment
Share on other sites

Internal scans are different from results by an external scan using tools like nmap. Use a VPN or Proxy and scan from an external machine to your home IP. Be surprised the difference in what says its open and what is not, and they shouldn't give the same results either.

NAT and the router itself should, by default, reject everything unless remote administration is truly enabled or you port forward a service, it will return the port forwarded. Be sure to use --open and --reason in your nmap scans too.

Link to comment
Share on other sites

Internal scans are different from results by an external scan using tools like nmap. Use a VPN or Proxy and scan from an external machine to your home IP. Be surprised the difference in what says its open and what is not, and they shouldn't give the same results either.

NAT and the router itself should, by default, reject everything unless remote administration is truly enabled or you port forward a service, it will return the port forwarded. Be sure to use --open and --reason in your nmap scans too.

All of the Scans were done from the outside via a vpn.

Link to comment
Share on other sites

All of the Scans were done from the outside via a vpn.

Then THAT is def an issue you need to lock down. Did your original post say it was from outside the network though? Maybe I missed that first reading. See original post edited.
Link to comment
Share on other sites

Then THAT is def an issue you need to lock down. Did your original post say it was from outside the network though? Maybe I missed that first reading. See original post edited.

I think you missed it on your first read, but you can just go on shodanhq.com and type in "Linksys EA" and find probably tens of thousands of vulnerable routers and exploit them if you please. Not that I condone doing that.

Edited by computerchris
Link to comment
Share on other sites

This is an interesting thread, the other I ran Nmap against my Asus router and found about 4 different ports opened.

This was an internal scan, so all good. I am going to do an external scan, to see what interesting results I might get.

Link to comment
Share on other sites

Speaking of access points that make you go WTF!! EnGenius EAP9550 has ssh enabled with the following default user:pass, Administrator:admin, admin:admin, login:admin, and manager:admin. SSH isn't a configurable option, and these are burned in accounts.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...